In point of sale systems, authorization takes the form of validation of credit card charges.

Navigation and accessing the glossary

There are two ways to navigate between topics in this guide.

• click on the topic in the navigation bar on the left side of each page
• move backward or forward to the next topic by clicking the "Back to _" or the "On to _" title at the bottom of the page

Glossary words are highlighted in green text. Simply click on the highlighted word to be directed to the glossary window.

Note:  The glossary will open on the first term that begins with the same letter as the word you clicked on. Scroll down to locate the specific term you are seeking.

Welcome to credit card transaction training

This training material is for campus personnel who will have access to credit card information either when:

• processing a credit card transaction or
• reviewing reports containing personal credit card information 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed by credit card companies to ensure consistent security measures for sensitive credit card holder data. All UCSC merchants, i.e. units and departments that accept credit card payments, must comply with PCI DSS requirements.   Those standards require completion of this training on data security standards (DSS) by each individual prior to his/her involvement with a credit card transaction or review of a report containing credit card data.

The information in this guide was current as of its publishing date of September 2008.  However, card acceptance, processing and chargeback procedures are subject to change due to the ever changing demands of the Payment Card Industry.  This guide contains information based on the current University of California Santa Cruz (UCSC) Procedure and Payment Card Industry (PCI) Security Standards.  If there are any technical differences between the PCI Operating Regulations and this guide, the PCI Operating Regulations will prevail.  The merchant agreement and the PCI Operating Regulations take precedence over this guide or any updates to its information.

Some segments of this training have been adapted from the Rules for Visa Merchants — Card Acceptance and Chargeback Management Guidelines © 2005 Visa U.S.A. Inc.

Overview PCI-DSS

Almost daily, thefts of identities and personal information are reported in the news. When our customers offer their bankcard at the point of sale, over the internet, on the phone, or through the mail, they need assurance that their account information is safe. In response to this need, the Payment Card Industry Data Security Standards (PCI-DSS) were developed and adopted here at UCSC. Since June 2001, PCI has served to ensure that industry members, merchants, and service providers maintain the highest information security standards.

About the program

WHAT

• PCI-DSS is a critical component for minimizing risk and maximizing protection. Mandated since June 2001, this robust program is intended to protect cardholder data—wherever it resides.

WHO

• UCSC Merchants must be PCI-DSS compliant and are responsible for ensuring their compliance. The program applies to all payment channels, including: in person, mail/telephone order, and e-commerce.

HOW

• To achieve PCI compliance, UCSC Merchants and service providers must adhere to the Payment Card Industry Data Security Standards (PCI-DSS), which offer a single approach to safeguarding sensitive data for all card brands. PCI-DSS compliance validation identifies and corrects vulnerabilities by ensuring appropriate levels of cardholder data security are maintained.

WHY

• By complying with PCI-DSS requirements, UCSC Merchants and service providers not only meet their obligations to the Payment Card Industry, but also build a culture of security that benefits all parties.

The importance of training

Above all else, this training serves to provide you with the knowledge and skills necessary to ensure credit card security. It is important to recognize that everyone, not just the credit card companies, benefits from the effective application of credit card security measures:

Your customers

• Appreciate your ability to reduce the threat of identity theft
• Trust you to complete transactions without creating duplicate or invalid charges
• Enjoy peace of mind, knowing that their credit card information is in good hands

The university

• Takes pride in a skilled workforce
• Values your ability to build customer confidence
• Needs your help in limiting potential losses, fines & penalties

... and you! 

• Will have confidence in your ability to safely and efficiently do your job
• Will recognize and evaluate key security features on valid cards
• Will be alert to the warning signs of fraud
• Will know that you can make informed decisions under pressure

Training benefits

Throughout the next few sections, you will learn about your role in retail fraud prevention and the appropriate steps to take if you feel that your unit's credit card security has been compromised. It is critical that you read, retain and refer to this information, as needed, so that your customers and the University are served as safely and efficiently as possible.  Each section covers a unique and important part of credit card safety. This training is comprised of the following sections:

• UCSC Procedures outline the general rules and guidelines instituted by UCSC for accepting credit cards and implementing the credit card process.
• Payment Card Industry (PCI) Data Security Standard (DSS) discusses credit card acceptance, security, and Cardholder Information Security Program (CISP) certification policies required by PCI_DSS.
• Card-Present Fraud Prevention explores credit card security features and other prevention tactics for Card-Present (in-store) transactions.
• Card-Not-Present Fraud Prevention explores credit card security features and other prevention tactics for Card-Not-Present (mail, phone & online) transactions.
• What to do if Security is Compromised explains the steps for reporting a questionable card or customer, while ensuring your personal safety and the safety of other customers and co-workers.

Who it applies to

This training is applicable to all campus personnel who have access to credit card information, either as a processor of credit card transactions or as a reviewer of reports that contain identifying credit card data. Throughout this training, the term “UCSC Employee” is expanded to include anyone who has access to credit card information working in any capacity for the University including:

• Staff
• Students
• Faculty
• Administrators
• Temporary employees
• Volunteers

Note:  The term "merchant" refers to any campus unit or department which accepts credit cards for payment - either in person or via other means, e.g. via the web.

Overview & accepted forms of payment

Throughout this training you will learn about the credit card acceptance and security guidelines instituted by UCSC.

Accepted forms of electronic payment

UCSC Merchants accept the following four major credit cards:

• Visa
• MasterCard
• Discover
• American Express

This training focuses on the security features and policies implemented by the Payment Card Industry (PCI) Data Security Standard (DSS).

The PCI Procedures have been divided into sections by topic. It is critical that you read this information carefully and ask your supervisor for assistance if you require further information or clarification regarding your responsibilities.

Accountability/Applicability

The procedures covered in this training material apply to all individuals who have access to credit card information, in any form, at a University of California Santa Cruz "merchant" location. A merchant is any UCSC unit which accepts credit cards.  As stated, if you have access to credit card information as part of your job responsibilities at UCSC, you are accountable for maintaining the security of that information.

Employee commitment

It is the responsibility of all university employees and third parties having access to cardholder data to protect that information at all times as a sacred trust. Cardholder information is to be disclosed only when there is a required business purpose.

All UCSC merchants, employees, and third parties with access to credit card information are responsible for safeguarding the information and associated cardholder data that is in their care. Credit card and cardholder data can only be shared with others when it is done as part of normal business procedures, such as processing payments or giving transaction receipts to a supervisor at the end of a shift.

When a university employee (or volunteer) suspects the loss or theft of any materials containing cardholder data, it is vitally important to immediately notify the supervisor and the Campus Police Department. Local police should also be contacted if the theft occurred off campus.

Designated staff in each department will implement the procedures for security breaches that are available on the PCI Website.

If you ever believe that there may have been a breach in the security of credit card information, regardless of whether or not you are directly involved, alert your supervisor immediately as well as Information Technology Services (ITS) at 459-HELP or . ITS will assess the breach and contact both the UCSC Police Department and the University Controller’s Office as needed.

Examples of lost or stolen materials containing cardholder data include, but are not limited to:

• A credit card
• Daily credit card terminal tapes
• Computer files containing cardholder data

Later in this training we will define the exact steps to take if you feel that security has been compromised.

UCSC Procedures overview

UCSC requires a number of standards to protect credit card information held and/or used at the University. Responsibilities and requirements for the employees/volunteers and units are listed below.

Employee & volunteer requirements/procedures

Each full or part time employee, student employee, temporary employee or volunteer with access to more than one credit card account at a time must submit to a background check. Cashiers handling one credit card at a time are excluded from this requirement unless they also process other types of cash transactions totally $750 or more per week.  

Each employee or volunteer must sign the PCI Annual Certification: (Excel | PDF), stating that  he/she has read and understands all of the PCI requirements. It is the unit supervisor's responsibility to maintain a file of these forms and to ensure each employee signs a new form annually.

• The supervisor must ensure that each employee:
• has proper authorization prior to allowing them access to restricted data, and
• understands that they are never to share or discuss restricted data with an unauthorized individual.
• Always store the minimum amount of restricted data necessary for completing job functions.
• Use unique passwords that can’t easily be guessed, and protect those passwords from being compromised.
• Good, unique passwords use a mixture of upper and lower case letters, numbers, and symbols; are at least 8 characters in length; are easy to remember and difficult to guess.
• Do not share passwords or private account information with anyone.
• Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
• Always physically secure files, and equipment before leaving the work area, i.e. do not leave credit card information unattended.
• Check doors, drawers, and windows.
• Lock up any sensitive materials.
• Never share lock codes, access cards, keys, etc.
• Question people in the work area whom you don't recognize.
• Outside of normal business hours, don't hold doors open for unknown people.
• Secure laptop computers at all times: laptops must be with their assigned employee or locked up if the employee steps away.
• At all times: in the office, at meetings, conferences, coffee shops, etc.
• Make sure any laptop is locked to or in something permanent! 
• Make sure the computer is protected with the most recent anti-virus software and that all necessary security "patches" and updates are current. 
• Don't keep sensitive information or your only copy of critical data on portable devices (laptops, CDs/floppies, memory sticks, PDAs, phones, etc.) unless they are properly protected.
• These items are extra vulnerable to theft or loss.
• Do not install unknown or unsolicited programs on computers.
• For example, programs found out about through email.
• These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.
• Ask the ITS Support Center (459-HELP) if you're not sure.
• Make backup copies of data you are not willing to lose and store the copies very securely
• Be safe on the internet.  Do not provide personal or sensitive information (including passwords) to internet sites, surveys, or forms unless you are using a trusted, secure web page.
• Look for "https" in the URL and the little locked padlock that appears in the corner of most browser windows to indicate that there is a secure connection.
• Don't click on unsolicited web links, including in email or pop-ups.  Just opening a malicious web page can infect a poorly protected computer, so be aware of where you are going before clicking on a web link.
• Instead of clicking on an unsolicited web link, look up web pages you are interested in on your own and go there directly using a search engine.
• Practice safe emailing.
• Do not open email attachments or click on website addresses in emails unless you really know what you are opening.
• Delete spam and suspicious emails; don't open, forward or reply to them.
• Email that contains restricted data must be treated with care and should not be preserved any longer than absolutely necessary.
• Make sure your email client (Thunderbird, Eudora, Outlook, etc.) is configured for secure authentication and secure sending and receiving of email. More information on this topic is available at the CruzMail website.
• Configure your email client to delete attachments when emptying the 'Trash'. Most email programs have this choice in the preferences, settings or options. 
• Contact the ITS Support Center at 459-HELP with email questions or problems.
• Ensure your computer requires a password to boot up or wake-up.
• Be sure that automatic login and guest accounts are disabled on your computer.
• Restricted data must be encrypted when it is transmitted. This includes email, remote access, and workstation/server communications.
• If you send files or attachments containing restricted data, work with ITS to set up a way to send them securely.
• Be sure your workstation is set up to prevent unauthorized individuals, e.g. passers-by, from viewing the information on your monitor.
• Shut down, lock, log off, or put your computer to sleep before leaving it unattended.
• For additional security, set up your computer to "lock," "sleep," or "auto log-off" when it is inactive. 
• To log off on a PC press <ctrl><alt><delete> simultaneously
• To log off on an Apple go to the drop down menu under the Apple logo.

Merchant requirements/procedures

Merchant location requirements

• Protect cardholder information so that only the last four digits of the credit card number are displayed or printed. Never send unencrypted Primary Account Numbers (PAN) by e-mail.
• Store only credit card information that is critical to the business: name, account number, and expiration date.
• Store only cardholder data that is encrypted or truncated.
• Ensure that all transmissions of sensitive credit card data are encrypted.
• Never store the three or four-digit Card Verification Value (CVV2) code in any form.
• Do not release credit card information in any form unless there is a legitimate business purpose and then only after the request for information is reviewed and approved by the unit’s management.
• Store and secure cardholder data in locked containers, in secured areas with limited access. Examples include electronic data, customer receipts, merchant duplicate receipts, reports, etc. Limit the amount of data stored and retention time to that which is required for business, legal, and/or regulatory purposes as documented by the department.
• Perform an annual review of critical data storage to ensure that all security requirements are met.
• Dispose of cardholder data according to a schedule based on business, legal and/or regulatory requirements as documented by the department. Cardholder data must be disposed of by overwriting or degaussing magnetic media; paper must be cross- shredded.
• Provide all third party vendors with the University's credit card procedures. 
• Maintain written proof that all third party vendors are certified as PCI compliant.
• Give any third party vendors access to credit card data only after a formal contract is signed that outlines the security requirements and requires adherence to the Payment Card Industry Security requirements.
• Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
• Have procedures to help all personnel distinguish between employees and visitors, in areas where cardholder data is accessible.
• Destroy or completely and securely remove all restricted data from computers and electronic media (including back-ups) before disposal, re-use, or re-assignment.

Objectives

Completing the reading in this section will enable you to:

• Practice the process of safe and effective Card-Present processing.
• Identify the key security features on credit cards.
• Locate additional security verification information.
• Understand the importance and application of Code 10 calls.

Overview

Some UCSC merchants process only in-store transactions in which the purchaser and the card are physically present in the campus unit/store.  This type of transaction is called a 'Card Present' transaction.  Other UCSC merchants may be involved in online, mail and telephone shopping options as well. Those transactions are referred to as 'Card-Not-Present' transactions which are covered later in this training material.

If your unit will be processing both Card-Present (in-store) and Card-Not-Present (online, mail and telephone) transactions, it is important to learn the steps needed to prevent fraud in both situations.

In this section you will learn about the key steps applicable to preventing retail fraud when processing Card-Present transactions. It is critical that you take the time to read, retain, and put these techniques into action, so that your in-store customers receive the best possible service and security.

Credit card features and security elements

Each brand of credit card uses a set of unique design features and security elements to help merchants verify a card’s legitimacy. By knowing what to look for on a card, you can avoid inadvertently accepting a counterfeit card or processing a fraudulent transaction.

After you have swiped the card, while waiting for authorization, take a few seconds to look at the card’s basic features and security elements. Checking card features and security elements helps to ensure that the card is valid and has not been altered in any way.

Note:  Check the first digit in the account number. The first digit should always match the designated first digit for the card brand:

American Express – 3

Visa – 4

MasterCard – 5

Discover – 6

Hold onto the card

Note:  Always keep payment cards in your possession during transaction processing. Holding onto the card gives you time to check card features and security elements and to compare the cardholder signature on the card with the signature on the transaction receipt.

What to look for on all cards (using Visa as an example)

Compare the printed and embossed numbers.

A four-digit number is printed below the first four digits of the embossed account number on all valid Visa and MasterCards. These numbers should be identical. If the numbers are not identical or the printed number is missing, the card is not valid and should not be accepted.

Check the embossed account number for evenness and clarity

Look closely at the embossed account number for any signs that the card has been flattened and re-embossed. On valid cards, the numbers will be crisp and even; on altered cards, they may have fuzzy edges, or you may be able to see “ghost images” of the original numbers. The last grouping of numbers is embossed into the hologram. Pay special attention to that area, where ghost images are easiest to spot.

Check the “Good Thru” or “Valid Thru” date

Make sure the date of the transaction is no later than the date on the card. If the transaction date is after the “Good Thru date", the card has expired. In such instances, an authorization request can be called in to your authorization center, or you can ask the customer for a card that is currently valid.

Note: 

• Always request an authorization on an expired card.
• If the Issuer approves the transaction, proceed with the sale.
• Never accept a transaction that has been declined.

Look for the embossed character

Each credit card company has their own unique character embossed on the front of their cards. Visa cards display a stylized embossed “V” located to the right of the “Good Thru” date on all valid Visa cards. If this character is missing or is not a “flying V”, the card should not be accepted. Master Cards issued before June 1, 2006 have a scripted “MC” in this area, and Discover Cards have a stylized “D” in between the “Member Since” and “Valid Thru” dates.

Note:  MasterCards issued after June 1, 2006 will not have the “MC” Security Character. Cards issued before June 1, 2006 will continue to be valid until their expiration date or June 2010, which ever comes first.

Look at the design hologram

Visa, MasterCard, and Discover all employ a holographic security design on their cards. The key for all holograms is that they should reflect light, appear three-dimensional, and the image in the hologram should appear to move or shift when the card is tilted back and forth. If the image looks flat or doesn’t move, the card may be counterfeit.

On Visa cards, a dove should appear in the hologram and it should seem to “fly” when the card is tilted back and forth. MasterCards have interlocking globes showing the continents with the word “MasterCard” in the background. The Discover card hologram shows a celestial sphere made of interlocking rings and an arrow pointer. The word “DISCOVER” appears in very small letters on the shaft of this arrow. The background of the image consists of a repetitive wave pattern with stars scattered throughout.

Note:  On MasterCards, the hologram may appear on the back of the card.

Look at the signature panel

The signature panel is similar for all card types. It should be white with the brand name of the card written repeatedly at an angle across the length of the panel. For example, Visa card signature panels display the word “VISA” reprinted in a diagonal pattern in blue, or blue and gold. On MasterCards, the word “MasterCard” is repeated at an angle in red, yellow, and blue, while “Discover Network” appears diagonally on the signature panel of Discover Cards.

In addition, the words “Authorized Signature” and “Not Valid Unless Signed” appears either above, below, or beside the signature panel of most credit cards.

Check for any signs of tampering

If someone has tried to erase the signature panel, you may see the word “VOID” where the brand name should be displayed. Other signs of tampering include white tape or correction fluid, or “ghost images,” indicating that a criminal has written over or altered the original signature. An altered signature panel means the card is invalid.

Check the account number and security code

On the back of the card, the account number, followed by a three- or four-digit code, may be printed on the signature panel in inverse italics (leaning left). The 3- or 4-digit code is a security and validation code, also referred to as the Card Verification Value2 (CVV2). The CVV2 is used primarily in Card-Not-Present transactions to verify that the customer is in possession of a valid credit or debit card at the time of the sale.

When something doesn’t look right

If any card security features are missing or look altered, notify your supervisor so that they can decide whether or not it will be necessary to place a Code 10 call to your authorization center.

Overview

Card Present transactions are those in which both the card and cardholder are present at the point of sale.

UCSC Merchants are required to take all reasonable steps to assure that the card, cardholder, and transaction are legitimate. Proper card acceptance begins and ends with sales staff and is critical to customer satisfaction and profitability.

Doing it right at the point of sale

Whether you are experienced or new to the job, following these few basic card acceptance procedures will help you to do it right, the first time and every time. The illustration below provides an overview of the card acceptance steps that are to be followed at the point of sale. Each step is explained in greater detail in this section.

It pays to swipe the stripe

On the back of every credit and debit card, is a magnetic stripe. The stripe contains the cardholder name, card account number, and expiration date, as well as special security information designed to help detect counterfeit cards. When the stripe is swiped through the terminal, this information is electronically read and relayed to the card issuer, who then uses it as crucial input for the authorization decision.

Note:

• Swipe the card to request transaction authorization.
• Hold the card throughout the entire transaction.

Verifying the account number

Most Point of Sale terminals (POS) also allow merchants to verify that the account number embossed on the front of the card is the same as the account number encoded on the card’s magnetic stripe. How you check the numbers depends on your POS terminal. In some cases, the magnetic stripe number is displayed on the terminal or printed on the sales receipt. In others, the terminal may be programmed to check the numbers electronically. In such instances, you may be prompted to enter the last four digits of the embossed account number, which will then be matched against the last four digits of the account number on the magnetic stripe.

Only the last four digits of the account or credit card number should be printed on a transaction receipt. If the numbers don’t match, you will receive a “No Match” message. In such instances, discreetly notify your supervisor who will decide whether or not it is necessary to make a Code 10 call

If a card doesn’t read when swiped

In some instances, when a card is swiped, the terminal will not be able to read the magnetic stripe or perform an authorization. When this occurs, it usually results from one of three causes: 

• The terminal’s magnetic-stripe reader is dirty or out-of-order.
• The card is not being swiped through the reader correctly.
• The magnetic stripe on the card has been damaged or demagnetized.

Note:  Damage to the card may happen accidentally, but it may also be a sign that the card is counterfeit or has been altered.

What to do

• Check the terminal to make sure that it is working properly and ensure that you are swiping the card correctly.
• If the terminal is okay, take a look at the card’s security features to make sure the card is not counterfeit or has not been altered in any way (See:  Card Features and Security Elements).
• If the problem appears to be with the magnetic stripe, follow store procedures. You may be allowed to use the terminal’s manual override feature to key-enter transaction data for authorization, or you may need to make a call to your voice-authorization center.

Risks involved

Key-entered transactions are fully acceptable, but they are associated with higher fraud chargeback rates. In addition, when transactions are key-entered, the benefits associated with special security features—such as the expiration date and Card Verification Value 2 (CVV2)—are not available.

Overview

The authorization process allows the card issuer to approve or decline a transaction. In most cases, authorizations are processed electronically in a matter of moments. However, to protect against fraud, the card issuer may request additional information about the transaction. If done properly, authorizing a transaction is quick and easy, and protects merchants against fraud and chargebacks.

Authorization responses

Authorization should be seen as an indication that account funds are available and the card has not been reported as lost or stolen. It is not proof that the true cardholder or a valid credit card is involved in a transaction.

During the authorization process, you should receive one of the responses listed in the following table, or one that is similarly worded.

Upon transaction approval

When a transaction is approved, the Point of Sale (POS) terminal automatically prints a sales receipt. When a negative or alert message is received, the response is displayed on the POS terminal, and no sales receipt is printed. Whatever the message, continue to treat the customer courteously so as not to arouse alarm or suspicion.

Signature and identification

The final step in the card acceptance process is to ensure that the customer signs the sales receipt and to compare that signature with the signature on the back of the card.  When signing the receipt, the customer should be within your full view, and you should check the two signatures closely for any obvious inconsistencies in spelling or handwriting.

While checking the signature, you should also compare the name, account number, and signature on the card to those on the transaction receipt.

1. Match the name and last four digits of the account number on the card to those printed on the receipt.
2. Match the signature on the back of the card to the signature on the receipt.  The first initial and spelling of the surname must match.

Note:  The embossed name and signature do not need to be the same.

For suspicious or non-matching signature, notify your supervisor discreetly that it is necessary to make a Code 10 call.

Note:  If the transaction is accepted with a non-matching signature and it turns out to be fraudulent, your business may be liable, even if all other procedures were followed.

Unsigned cards

While checking card security features, also make sure that the card is signed. An unsigned card is considered invalid and should not be accepted. If a customer gives you an unsigned card, the following steps must be taken:

1. Check the cardholder’s ID. Ask the cardholder for some form of official government identification containing their photograph, such as a driver’s license or passport. Social Security Cards are not acceptable forms of identification. The ID serial number and expiration date should be written on the sales receipt before you complete the transaction.
2. Ask the customer to sign the card. The card should be signed within your full view, and the signature checked against the customer’s signature on the ID. A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed credit card.
3. Compare the signature on the card to the signature on the ID. If the cardholder refuses to sign the card, and you accept it, you may end up with financial liability for the transaction should the cardholder later dispute the charge.

Note:  The words “Not Valid Without Signature” appear above, below, or beside the signature panel on most credit cards.

“See ID” in lieu of signature

Some customers write “See ID” or “Ask for ID” in the signature panel, thinking that this is a deterrent against fraud or forgery; that is, if their signature is not on the card, a fraudster will not be able to forge it. In reality, criminals don’t take the time to practice signatures: they use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures—they may even have access to counterfeit identification with a signature in their own handwriting.

“See ID” or “Ask for ID” is not a valid substitute for a signature. The customer must sign the card in your presence, as stated above.

Note:  A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed credit card.

Suspicious behavior

In addition to following all standard card acceptance procedures, be on the lookout for any customer behavior that appears suspicious or out of the ordinary.

At the point of sale

• Purchasing large amounts of merchandise with seemingly no concern for size, style, color, or price
• Asking no questions or refusing free delivery on large items (for example, heavy appliances or televisions) or high-dollar purchases
• Trying to distract or rush sales associates during a transaction
• Making purchases, leaving the store, and then returning to make more purchases
• Making purchases either right after the store opens or just before it closes

Of course, peculiar behavior should not be taken as automatic proof of criminal activity. Use common sense and appropriate caution when evaluating any customer behavior or other irregular situation that may occur during a transaction. You know what kind of behavior is normal for your particular place of business.

If you feel really uncomfortable or suspicious about a cardholder or transaction, notify your supervisor discreetly that it is necessary to make a Code 10 call. In any situation where making the call with the customer present feels inappropriate or unsafe, complete the transaction, return the card, and make the call immediately after the customer leaves. See:  Code 10 Calls for additional information.

Overview

The best practices listed in this section will help keep key-entered transactions at acceptably low levels and should be incorporated into your daily operations, staff training and review sessions.

Find causes and look for solutions

If your key-entered rates are greater than one percent per terminal or sales associate, investigate the situation and try to find out why. The following chart summarizes the most common reasons for high key-entry rates and provides possible solutions.

Code 10 calls

Code 10 calls allow UCSC merchants to alert card issuers of suspicious activity and to take appropriate action when instructed to do so. You or your supervisor should make a Code 10 call to your voice authorization center whenever you are suspicious about a card, cardholder, or a transaction. The term “Code 10” is used so the call can be made at any time during a transaction without arousing a customer’s suspicions.

To make a Code 10 call, you or your supervisor will call the credit card company’s voice authorization center, and say, “I have a Code 10 authorization request.”

It is important to note that Code 10 calls can be time consuming. The call may first be routed to a representation of your merchant bank who may need to ask you for some merchant or transaction details. You will then be transferred to the card issuer and connected to a special operator who will ask you a series of questions that can be answered with a simple yes or no.

• When connected to the special operator, answer all questions calmly and in a normal tone of voice. Your answers will be used to determine whether the card is valid.
• Follow all operator instructions.
• If the operator tells you to pick up the card, do so only if recovery is possible by reasonable and peaceful means. UCSC employees are not obligated or expected to confiscate credit cards.

Making a Code 10 call after a transaction

Sometimes you may not feel comfortable making a Code 10 call while the cardholder is at the point of sale, or you may become suspicious of a cardholder who has already left the store even if the transaction was not completed.

It is important to know that Code 10 calls can be made even after a cardholder leaves the store.  A Code 10 alert at that time may help stop fraudulent card use at another location, or perhaps during a future transaction at your store.

Be prepared to provide as much customer information as you can - e.g. name on card, type of card (e.g. MasterCard) and card number.

Objectives

Completing the reading in this section will enable you to:

• Safely and effectively process card-not-present transactions, including international and internet transactions.
• Identify and successfully react to suspicious transactions.

Overview

Every day, the number of purchases conducted via mail, telephone, and internet increases. These transactions are significantly different from traditional in-store sales, in that neither the customer nor the credit card are present at the merchant location during the transaction, making it especially difficult to detect fraud.

Of necessity, card acceptance procedures for these “card-not-present” transactions are different from in-store, i.e. "card present" purchases. UCSC employees who conduct card-not-present transactions must exercise extreme caution and follow procedures precisely in order to verify — to the greatest extent possible — the cardholder’s identity and the validity of the purchase.

Many credit card processors require card-not-present merchants to ask customers for their Card Verification Value 2 (CVV2) number as an additional security measure.  See:  Security rules for additional information on CVV2 requirements.

This section covers basic card acceptance procedures for mail, telephone, and internet transactions. It also includes resources and best practices that all card-not-present merchants can use to prevent fraud and chargebacks.

Merchant web site requirements

The Payment Card Industry Standards require that certain content or features be included on your Web site. The following elements are intended to promote ease of use for online shoppers and reduce cardholder disputes and potential chargebacks.

Complete description of goods and services.

• Remember you have a global market, which increases opportunities for unintended misunderstandings or miscommunications. For example, if you sell electrical goods, be sure to state voltage requirements, which vary around the world.

Customer service contact information.

• This includes e-mail address and phone number. Online communication may not always be the most time-efficient or user-friendly for some customers. Including a customer service telephone number as well as an e-mail address promotes customer satisfaction.

Return, refund, and cancellation policy.

• This policy must be clearly posted on the merchant Web site.

Delivery policy.

• UCSC Merchants set their own policies about delivery of goods, that is, if they have any geographic or other restrictions on where or under what circumstances they provide delivery. Any restrictions on delivery must be clearly stated on the web site.

Country of origin.

• The permanent address of your establishment must be listed on the web site including the street name, number, city, state, country, and zip code.

Best practices for the web

Suggested best practices for UCSC Merchant Web sites include:

• Encourage cardholders to retain a copy of the transaction.
• Indicate when credit cards are charged.
• Provide order-fulfillment information.
• State timeframes for order processing and send an e-mail confirmation and order summary within one business day of the original order.
• Provide up-to-date stock information if an item is back-ordered.
• Explicitly state customer service timeframes.
• Ideally customer service e-mails or phone calls should be answered within two business days.
• State directly on the main Web site which security controls are used to protect customers.
• For instance, UCSC Merchants should clearly state that UCSC is PCI compliant.

Overview

Card-not-present merchants need to develop in-house policies and procedures for handling irregular or suspicious transactions and provide appropriate training for their sales staff. Being able to recognize suspicious orders may be particularly important for merchants involved in telephone sales, and employees should be given clear instructions on the steps to take to verify these transactions.

Signs of suspicious behavior/transactions

Be on the lookout for any of the following signs of suspicious customer behavior/transactions

• Hesitation:  Beware of customers who hesitate or seem uncertain when giving you personal information, such as a zip code or the spelling of a street or family name. This is often a sign that the person is using a false identity.
• Rush orders:  Urgent requests for quick or overnight delivery—the customer who “needs it yesterday”—should be another red flag for possible fraud. While often perfectly valid, rush orders are one of the common characteristics of “hit and run” fraud schemes aimed at obtaining merchandise for quick resale.
• Random orders:  Watch out also for customers who don’t seem to care if a particular item is out of stock —”You don’t have it in red? What colors do you have?”—or who order haphazardly—”I’ll take one of everything!” Again, orders of this kind may be intended for resale rather than personal use.
• Suspicious shipping address:  Scrutinize and flag any order with a ship to address that is different from the billing address on the cardholder’s account.
• Requests to ship merchandise to post office boxes or an office address are often associated with fraud.
• If you experience fraud on sales that are shipped, consider creating a list of those zip codes to identify possible areas where high fraud rates are common.  Verify any order that has a ship-to address in these areas.
• If your business does not typically service foreign customers, use caution when shipping to addresses outside the United States, particularly if you are dealing with a new customer or a very large order.
• When examining what appears to be an unusual order, keep in mind that if the sale sounds too good to be true, it probably is.

Manual processing (only where specifically authorized)

Authorization is required on all electronic payment transactions. Authorization should occur before any merchandise is shipped or service performed. The following process is critical for fraud prevention during card-not-present transactions.

Ask for card expiration date and CVV2

Whenever possible, card-not-present merchants should ask customers for their card expiration, or Good Thru date and include it in their authorization requests.

Including the date helps to verify that the card and transaction are legitimate. A mail order, telephone order, or internet order containing an invalid or missing expiration date may indicate counterfeit or other unauthorized use.

Asking for the Card Verification Value 2 (CVV2) helps to ensure the validity of the card being used and the fact that the buyer has  the credit card in hand.

Overview

Completing the reading in this section will enable you to:

• Understand the 12 Payment Card Industry Data Security Standards (PCI-DSS)
• Understand the rules and requirements of PCI
• Know your responsibilities as a UCSC Merchant and UCSC employee handling credit card information
• Identify the penalties for PCI non-compliance

Who must comply

PCI applies to all UCSC Merchants - meaning any UCSC location accepting electronic payments as legal tender. All UCSC Merchants, regardless of size and all employees having access to cardholder information, must comply with the PCI Data Security Standards.

Benefits to merchants

Beyond basic data security, full implementation of the PCI Data Security Standards benefits merchants in several ways.

• Customer service. Customers seek out merchants they feel are “safe.” Confident consumers are loyal customers. They come back again and again, and share their experiences with others.
• Cost containment. By protecting your customers, you also minimize your own exposure to risk and the direct and operational costs associated with compromised cardholder information.
• Public image. Information security is a frequent topic of media attention. An incident of data loss or compromise not only hurts customers; it can seriously damage the University's public image.

Introduction

The Payment Card Industry (PCI) Data Security Standards (DSS) Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card data protection. The PCI Security Standards Council’s mission is to enhance credit card data security by fostering broad adoption of the PCI Security Standards. The 12 PCI Security Standards are listed below.

PCI security standards

Build and maintain a secure network

• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications

Implement strong access control measures

• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Regularly monitor and test networks

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain an information security policy

• Maintain a policy that addresses information security

What to do if security is compromised

If you ever feel unsure about the legitimacy of a card or the intentions of a customer, trust your instincts. No one is harmed by a false alarm – but if you ignore the warning signs of fraud, it could cost you, your store, and your customers a lot of time and money.

Security breach

This section covers the steps to take if you feel that your store’s security has been compromised. Read these steps carefully, so that you are prepared to implement them in the case of a security emergency.

If you experience a suspected or confirmed security breach:

• Immediately contain and limit the exposure. Physically disconnect the computer or device from the network and turn off any wireless connections.
• To prevent any further loss of data, conduct a thorough investigation as soon as possible. Investigations must be conducted within 24 hours of the compromise.
• If you suspect a compromise of data:

• Have your Supervisor contact ITS at  with:
• your contact information including name, phone number and e-mail address and
• a brief description of the security breach or issue/problem.

• ITS will determine the extent of the breach and notify the Police Department and the University Controller's Office to take the appropriate action.
• Do not access or alter compromised systems. Do not log onto the machine or change passwords.
• Preserve logs and electronic evidence. Log all actions taken.
• Be on HIGH alert and monitor all credit card systems.

In the event of a security breach, ITS will contact the University Controller's Office to discuss the compromise situation and review the actions required to demonstrate the ability to prevent future loss or theft of transaction information.

Merchant banks may be subject to fines of up to $500,000 per incident if a security breach is caused by a merchant or service provider who is not PCI compliant. Merchant banks will not be fined if the compromised merchant or service provider is PCI compliant at the time of the security breach.

UCSC merchant preparedness

Each UCSC Merchant location should maintain written procedures on the processing of credit card, debit card, and electronic payments. Those procedures need to include specific instructions on how and when to conduct Code 10 calls, and how to respond to a security breach. Written procedures should be made available to all employees.

The best advice of all

Trust your instincts! If a sale seems too good to be true, it probably is. We hear all too often that what a merchant thought to be a great sale, turned out to be fraud. So take the time to check out that huge order from a customer with whom you’ve never done business. That little bit of extra work may well prevent you from being the victim of a fraud scheme.

UCSC rules

All UCSC Merchants and employees must follow basic card acceptance rules for all electronic transactions. Careful and consistent adherence to the UCSC rules outlined in this section will help enhance customer satisfaction and increase your unit’s profitability. If you have any questions about any of the UCSC rules presented here, ask your supervisor for assistance.

Dollar minimums and maximums

Always honor valid credit cards, regardless of the dollar amount of the purchase. Imposing minimum or maximum purchase amounts is a violation of our Merchant agreement.

No surcharging

Always treat electronic transactions like any other transaction; that is, you may not impose any surcharge on over the counter credit card transactions.  You may, however, offer a discount for cash transactions, provided that the offer is clearly disclosed to customers and the cash price is presented as a discount from the standard price charged for all other forms of payment.

Taxes

Include any required taxes in the total transaction amount. Do not collect taxes separately in cash.

Deposit time limits

Deposit forms are due to the Main Cashier’s Office on a weekly basis. Your credit card terminal is to be cleared out on a nightly basis. 

Data storage

Merchants should also be aware of the following data security requirements:

• Magnetic-stripe data. Do not store magnetic-stripe data after receiving authorization. After a transaction is authorized, the full contents of track data, which is read from the magnetic stripe, must not be retained on any system. The account number, expiration date, and name are the only elements of track data that may be retained when held in a CISP compliant manner.
• Avoid security code storage. The Security Code, also known as the Card Verification Value 2 (CVV2), is the 3- or 4-digit value that is printed on the back of most credit cards. The one exception is American Express who prints the CVV2 on the front of the card, above and to the right of the embossed account number. The CVV2 number must never be retained or stored after a transaction. If the CVV2 number is recorded on a form when collected by phone, that data must be destroyed once the transaction is completed. All UCSC Merchants and employees are prohibited from storing security code data. When asking a cardholder for their security code, merchants must not document this information on any kind of paper order form or store it in any database.

Cardholder information

Keep cardholder account numbers and personal information confidential. Cardholders expect you to safeguard any personal or financial information they may give you in the course of a transaction. Keeping that trust is essential to fraud reduction and good customer service. Cardholder account numbers and other personal information should be released only to your merchant bank or processor, or as specifically required by law.

Penalties for PCI non-compliance

The Payment Card Industry has established fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant.

In addition, it is required that all individuals whose information is believed to have been compromised must be notified in writing to be on alert for fraudulent charges. As such, the potential cost of a security breach can far exceed $500,000 when the cost of customer notification and recovery is calculated.

Potential cost of a security breach

• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Potential for campus wide shut down of credit card activity by our merchant bank
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence